PIA Redacted

IARD PIA_Redacted.pdf

Rule 0-2 and Form ADV-NR under the Investment Advisers Act of 1940

OMB: 3235-0240

US Securities and Exchange Commission
Office of Information Technology
Alexandria, VA

PRIVACY IMPACT ASSESSMENT (PIA) 

Investment Adviser Registration Depository (IARD)


Division of Investment Management 

Office of Investment Adviser Regulation 



IARD System [illegible], Division of Investment Management, Office of
Investment Adviser Regulation,
2.

(Name, Title, Organization, Telephone Number)
IARD System [illegible], Division of Investment Management, Office of
Investment Adviser Regulation, [illegible]

GENERAL INFORMATION- System/Project Information
1. 	 Name of Project or System.
Investment Adviser Registration Depository (IARD).
2. 	 Description of Project or System.
IARD is a web-based electronic registration depository of information filed on Form ADV
by investment advisers that eliminated the need for paper filings of Form ADV. IARD is
used to help the SEC staff process applications for registration or exemption and related
forms under the Investment Advisers Act of 1940 and to implement the Federal securities
laws and rules. Sections 203(c) and 204 of the Advisers Act [15 U.S.C. §§ 80b-3(c) and 80b-4]
authorize the SEC to collect the information required by Form ADV. The SEC collects
the information for regulatory purposes, such as deciding whether to grant registration.
Filing Form ADV is mandatory for advisers who are required to register with the SEC. The
SEC maintains the information submitted on this form and makes it publicly available.
3. 	 What is the purpose of the Project or System?
The IARD serves as a readily accessible database to receive, and respond to, inquiries regarding
disciplinary actions, proceedings and public information about investment advisers and persons
associated with investment advisers. IARD collects only limited personally identifiable
information: (i) social security numbers (usually only for trusts) to identify
legal entities when no other identifiers are available, (ii) private addresses if the advisory
business is run from a private address, since a location of the business is needed for OCIE
inspections and correspondence from the SEC, and (iii) CRD numbers, which are assigned
by FINRA and are provided to individuals who need to list an identification number on Form
ADV (this number is automatically assigned by the system after a social security number and
birth date for an individual are entered).
Any personal identifying information collected is required to positively identify the location,
person, or entity as part of the registration and examination of investment advisers as
provided under the Investment Advisers Act of 1940 and the rules the SEC has adopted
thereunder.

4. Requested Operational Date? 

The IARD system has been operational since 2001.


Revised 2009 	

5. 	 System of Records Notice (SORN) number?
SEC-10, Correspondence file Pertaining to Registered Investment Advisers, and SEC-50,
Investment Adviser Records, are the existing system of record notice numbers related to
IARD.
6. 	 Is this an Exhibit 300 project or system? If yes, this PIA must be submitted to OMB.
No.
7. 	 Is this an agency's system or a contractor's system?
Contractor system. Financial Industry Regulatory Authority (FINRA) Regulation, Inc., a
self-regulatory organization subject to SEC oversight, is the contractor.
8. 	 What specific legal authorities, arrangements, and/or agreements defined the collection
of data?
Investment Advisers Act of 1940, section 204.
SECTION I- Data in the System
The following questions define the scope of the data collected and reasons for its collection as
part of the system and/or technology being developed.
1. 	 What data is to be collected?
Form ADV and variant Form ADV data is collected. This includes name of investment
advisers (usually a firm name, but it could be the name of an individual if the adviser is
formed as a sole proprietorship), name of owners, birth date of individual owners (used
solely to create a CRD number for use on the Form ADV), social security number of
individual owners (used solely to create a CRD number for use on the Form ADV), social
security number of a trust, mailing address of advisory business, telephone number of
advisory business/Chief Compliance Officer/Contact employee, email address of Chief
Compliance Officer/Contact employee, fax number of advisory, CRD number, SEC number,
IRS tax number of owners (if no CRD number), Employer ID number of owners (if no CRD
number), criminal/civil judicial/regulatory disclosures required by Item 11 of Form ADV for
the advisory, employees, and certain affiliates of the adviser, year of birth/formal post high
school education/business background/material disciplinary information of supervised
employees providing investment advice (Form ADV Part 2B).

2. 	 Is the Social Security Number (SSN) Collected?
Yes. Social security numbers are collected in order to (1) assign a CRD number for use on
the Form ADV by owners, (2) identify an owner that is a trust.
3. 	 What are the sources of the data?
Investment adviser businesses provide the information as part of a registration statement.
4. 	 Why is the data being collected?
Any personal identifying information collected is required to positively identify the location,
person, or entity as part of the registration and examination of investment advisers as
provided under the Investment Advisers Act of 1940 and the rules the SEC has adopted
thereunder.

5. 	 What technologies will be used to collect the data?
The data will be collected through a secure, online web-form (Form ADV) through the IARD
system. The IARD system is based upon the CRD (Central Registration Depository) system
for broker-dealers owned and operated by FINRA.
6. 	 Does a personal identifier retrieve the data?
No. IARD can only search the database by name of the investment adviser, CRD number, or
SEC file number.
SECTION II- Attributes of the Data (use and accuracy)
The following questions delineate the uses and accuracy of the data.

1. 	 Describe all uses of the data.
The information collected is used consistent with the routine uses outlined in SORNs SEC-10
and SEC-50. Any personally identifiable information collected is used for identification of
owners or the adviser in relation to reviewing the registration requests, conducting
inspections and examinations of the investment adviser, and enforcement actions against the
investment adviser.

2. 	 Does the system analyze data to assist users in identifying previously unknown areas of
note, concern, or pattern? (Sometimes referred to as data mining).
No. IARD is a depository of data from Form ADV. No new data is created.
3. 	 How will the data collected from individuals or derived by the system be checked for
accuracy?
IARD is a depository of data from Form ADV. The data collected is that entered by the
investment adviser. It would be fraudulent to file inaccurate information on Form ADV.

SECTION III- Sharing Practices
The following questions define the content, scope, and authority for information sharing,
internally and externally, which includes Federal, state and local government, and the private
sector.

1. 	 Will the data be shared with any internal or external organizations?
Yes. IARD data (except for social security numbers and private residence addresses) is
publicly available through the IAPD (Investment Adviser Public Disclosure) website,
www.adviserinfo.sec.gov. All SEC divisions and offices may use IARD data, but OCIE, IM,
OIEA, and Enforcement are the primary users. Other government agencies may access and
use the data, including State agencies, FBI, and the Department of Labor. Investment Advisers
Act of 1940, section 204 provides that the SEC shall have a "readily accessible electronic or
other process, to receive and promptly respond to inquiries regarding registration information
(including disciplinary actions, regulatory, judicial, and arbitration proceedings, and other
information required by law or rule to be reported) involving investment advisers and
persons associated with investment advisers."


2. 	 How is the data transmitted or disclosed to the internal or external organization?
Data is obtained online through IAPD using an Internet Web browser-based application or by
logging into IARD online via a secure Internet Web browser-based application.
3. 	 How is the shared data secured by external recipients?
External recipients including State agencies, FBI, and the Department of Labor access the
data via the IARD.
The IARD system has undergone a certification and accreditation review which describes the
IT security requirements and procedures required by federal law and policy to ensure that the
information is appropriately secured.
4. 	 Does the system receive or share Personally Identifiable Information (PII) with any
other SEC systems, including systems hosted by an SEC contractor?
The IARD system may share information with FINRA's CRD system when the adviser is
also registered as a broker-dealer (dual registrant, registered on CRD system and IARD
system).
SECTION IV- Notice to Individuals to Decline/Consent Use
The following questions address actions taken to provide notice to individuals of their right to
consent/ decline to collection and use of information.
1. 	 Was notice provided to the different individuals prior to collection of data?
Yes. The Form ADV contains a Federal Information Law and Requirements section about
the collection and use of the data and an SEC's Collection of Information section about the
purpose and use of the information.

2. 	 Do individuals have the opportunity and/or right to decline to provide data?
No, the information is required by law or SEC rule to be provided.
3. Do individuals have the right to consent to particular uses of the data? If so, how does
the individual exercise the right?
No, the information is required by law or SEC rule to be provided and is public information.
SECTION V- Access to Data (administrative and technological controls)
The following questions describe administrative controls, technical safeguards and security
measures.
1. Has the retention schedule been established by the SEC Records Officer? If so, what is
the retention period for the data in the system?
Currently, all filings on the IARD system are active; none are archived. These records will
be maintained until they become inactive, at which time they will be retired or destroyed in
accordance with records schedules of the United States Securities and Exchange Commission
as approved by the National Archives and Records Administration.


2. 	 What are the procedures for identification and disposition of the data at the end of the
retention period?
The data will be identified and disposed of using the procedures stated above.
3. 	 Describe the privacy training provided to users either generally or specifically relevant
to the program or system?
All SEC staff and contractors receive annual privacy awareness training, which outlines their
roles and responsibilities for properly handling and protecting PII.
4. 	 Will SEC Contractors have access to the system?
Yes, section H.8 Privacy Act and H.9 System Display of Public Notices are included in the
contract to operate IARD (see contract SECHQ1-09-C-0114).
5. 	 Is the data secured in accordance with FISMA requirements? If yes, when was
Certification & Accreditation last completed?
A certification and accreditation was completed in 2010. Contract SECHQ1-09-C-0114
contains clauses regarding compliance with FISMA.
6. 	 Is the system exposed to the Internet without going through VPN?
If YES, is secure authentication required and is the session encrypted?
The public side of the system, IAPD, is open to the public. The filing side and regulatory
side of the system require an ID and password to access and are a secure, encrypted portal.
7. 	 Are there regular (i.e., periodic, recurring, etc.) data extractions from the system?
If YES, describe the location of the extraction.
SEC staff may occasionally extract data to generate reports. These manual extracts are
maintained in accordance with SEC's policies and procedures for securing PII data
extraction, including securing the extracts in designated file folders on the office's J drive,
to which access is limited to SEC staff with a need to know. In addition, data extracts are
deleted or destroyed after 90 days, unless a business need warrants additional holding of the
data extract, e.g., ongoing examination or investigation. Transmission of any data extracts is
done via a secure method or connection, e.g., Outlook encryption tool, SMAIL.
8. 	 Which user group(s) will have access to the system?
All SEC divisions and offices may use IARD data, but OCIE, IM, OIEA, and Enforcement
are the primary users. Other government agencies may access and use the data including
State agencies, FBI, and the Department of Labor.
9. 	 How is access to the data by a user determined? Are procedures documented?
The types of access to IARD are: standard regulator access (view-only access), work queue
access (user can change the registration status of an investment adviser, i.e., approved,
revoked, etc.; SEC's Branch of Registrations and Examinations in OCIE uses this level of
access), Form U6 filing access (user can file a U6 if needed; SEC's Office of Secretary may
use this access level), query access (view-only access that cannot access aggregated reports
of the data), and administrator access (user can add, delete, or change a user's access rights).
Yes, access procedures are documented in Attachment 5, "Management And Administration"
of the IARD Contract SECHQ1-09-C-0114.

10. How are the assignments of roles and rules verified?
Section 1.7 "Regulator Access" of the IARD Contract delineates the procedures for
assigning, terminating and verifying access to the IARD. Administrator access requires
supervisor approval and contractor review per the contract.
11. What auditing measures/controls and technical safeguards are in place to prevent
misuse (e.g., unauthorized browsing) of the data?
FINRA is responsible for implementing steps to control access, use, disclosure, modification,
and destruction of information. Such steps shall include, at a minimum, identification and
authentication of users and security controls that detect unauthorized access attempts. FINRA
is also required to establish an access control policy which includes features or procedures
that enforce access control measures that provide each user with access to the information to
which they are entitled and no more. Other specifics regarding technical safeguards are
described in the C&A documentation and the IARD Contract SECHQ1-09-C-0114.

SECTION VI- Privacy Analysis
This section discusses the analysis that was performed to identify any potential privacy risks in
the system and the evaluation of any alternatives to mitigate such risks.
Social security numbers are the most sensitive personally identifiable information on IARD. These
numbers are redacted both on the internal IARD and external, public IAPD systems. CRD
numbers are assigned to individuals for use on the Form ADV to add an extra layer to essentially
remove social security numbers from appearing on the Form ADV.
Private residence addresses are redacted from the public site. To our knowledge, though, these
addresses would be disclosed per a FOIA request, as the adviser is conducting business
from this location.
Since the data collected is public and disseminated publicly through a website (IAPD) except for
social security numbers and private residence addresses, the larger focus on security was the
integrity of the data to eliminate the possibility of data corruption or deletion. A secure portal to
the webform is created each time a filer accesses IARD to view or file information. All data
collected through IARD by Form ADV is approved by SEC rule.



File Type: application/pdf
File Modified: 2014-06-10
File Created: 2011-07-14
